test

System Administration Guide: Devices and File Systems

ProcedureHow to Configure CHAP Authentication for Your iSCSI Initiator

This procedure assumes that you are logged in to the local system where you want to securely access the configured iSCSI target device.

  1. Become superuser.

  2. Determine whether you want to configure unidirectional or bidirectional CHAP.

    • Unidirectional authentication, the default method, enables the target to validate the initiator. Complete steps 3–5 only.

    • Bidirectional authentication adds a second level of security by enabling the initiator to authenticate the target. Complete steps 3–9.

  3. Unidirectional CHAP – Set the secret key on the initiator.

    For example, the following command initiates a dialogue to define the CHAP secret key.


    initiator# iscsiadm modify initiator-node --CHAP-secret
    Note –

    The CHAP secret length must be a minimum of 12 characters and a maximum of 16 characters.

  4. (Optional) Unidirectional CHAP – Set the CHAP name on the initiator.

    By default, the initiator's CHAP name is set to the initiator node name.

    You can use the following command to change the initiator's CHAP name.


    initiator# iscsiadm modify initiator-node --CHAP-name new-CHAP-name

    In the Solaris environment, the CHAP name is always set to the initiator node name by default. The CHAP name can be set to any length text that is less than 512 bytes. The 512-byte length limit is a Solaris limitation. However, if you do not set the CHAP name, it is set to the initiator node name upon initialization.

  5. Unidirectional CHAP – Enable CHAP authentication on the initiator after the secret has been set.


    initiator# iscsiadm modify initiator-node --authentication CHAP

    CHAP requires that the initiator node have both a user name and a password. The user name is typically used by the target to look up the secret for the given username.

  6. Select one of the following to enable or disable Bidirectional CHAP.

    • Bidirectional CHAP – Enable bidirectional authentication parameters on the target.

      For example:


      initiator# iscsiadm modify target-param -B enable eui.5000ABCD78945E2B

    • Disable bidirectional CHAP. For example:


      initiator# iscsiadm modify target-param -B disable eui.5000ABCD78945E2B

  7. Bidirectional CHAP – Set the authentication method to CHAP on the target.

    For example:


    initiator# iscsiadm modify target-param --authentication CHAP eui.5000ABCD78945E2B

  8. Bidirectional CHAP – Set the target device secret key on the target.

    For example, the following command initiates a dialogue to define the CHAP secret key:


    initiator# iscsiadm modify target-param --CHAP-secret eui.5000ABCD78945E2B

  9. Bidirectional CHAP - Set the CHAP name on the target.

    By default, the target's CHAP name is set to the target name.

    You can use the following command to change the target's CHAP name:


    initiator# iscsiadm modify target-param --CHAP-name target-CHAP-name